Lucene search

K
debianDebianDEBIAN:DSA-5459-1:D8805
HistoryJul 25, 2023 - 9:07 p.m.

[SECURITY] [DSA 5459-1] amd64-microcode security update

2023-07-2521:07:11
lists.debian.org
56
bullseye
tavis ormandy
amd
debian
microarchitectural flaw
cve-2019-9836
bookworm
security update

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.005

Percentile

76.5%


Debian Security Advisory DSA-5459-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
July 25, 2023 https://www.debian.org/security/faq


Package : amd64-microcode
CVE ID : CVE-2023-20593
Debian Bug : 1041863

Tavis Ormandy discovered that under specific microarchitectural
circumstances, a vector register in "Zen 2" CPUs may not be written to 0
correctly. This flaw allows an attacker to leak register contents across
concurrent processes, hyper threads and virtualized guests.

For details please refer to
https://lock.cmpxchg8b.com/zenbleed.html
https://github.com/google/security-research/security/advisories/GHSA-v6wh-rxpg-cmm8

The initial microcode release by AMD only provides updates for second
generation EPYC CPUs: Various Ryzen CPUs are also affected, but no
updates are available yet. Fixes will be provided in a later update once
they are released.

For more specific details and target dates please refer to the AMD
advisory at
https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7008.html

For the oldstable distribution (bullseye), this problem has been fixed
in version 3.20230719.1~deb11u1. Additionally the update contains a fix
for CVE-2019-9836.

For the stable distribution (bookworm), this problem has been fixed in
version 3.20230719.1~deb12u1.
We recommend that you upgrade your amd64-microcode packages.

For the detailed security status of amd64-microcode please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/amd64-microcode

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.005

Percentile

76.5%